Hi oldschoolrock09,
Welcome to Techspot!
My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.
--------------------------------------------------------------------------------
Download the ATF cleaner program from HERE and save it to your desktop.
*Run it after the next step while still in safe mode*
---------------------------------------------------------------------------------
*Copy and paste the next 2 sections into Notepad and save it to your desktop to have while in safe mode*
Run Smitfraudfix
- Download Smitfraudfix by S!ri from HERE
- Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
- Double-click SmitfraudFix.exe
- Select 2 and hit Enter to delete infected files.
- You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.
- A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
---------------------------------------------------------------------------------------
While still in Safe Mode
Double-click ATF Cleaner.exe to open it.
Under Main choose:
- Windows Temp
- Current User Temp
- All Users Temp
- Cookies
- Temporary Internet Files
- Prefetch
- Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
You can now boot into Normal Mode.
--------------------------------------------------------------------------------------
Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
"C:\Program Files\Browser MOUSE\bak\mouse32a.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\ezSP_Px.exe"
"C:\WINDOWS\system32\bak\hphmon04.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\bak\hphupd04.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe"
"D:\HP Share-to-Web\bak\hpgs2wnd.exe"
"D:\HP Software Update\bak\HPWuSchd2.exe"
"D:\program files\bak\qttask.exe"
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Press 2 then Enter
- Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
- Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
- The program will proceed to move the legit files and will perform another scan for bak folders.
- It may take a few minutes to complete, so please be patient.
- When it is complete, it will open a text file in Notepad called AWF.txt.
- Please attach the AWF.txt file in your next reply.
------------------------------------------------------------------------------------------
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
Open Internet Explorer.
Click Tools -> Internet Options.
Click the Security tab.
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button.
Once done, click OK.
Warning! Do not click the links below in the quote box.
Click OK, then OK again and close IE. Reboot your system.
-----------------------------------------------------------------------------------
Come back here and post the logs that I asked for above. Also only use internet explorer if you absolutely have to, or if I ask you to: Here are 2 more secure browsers to choose from:
1)Firefox ->
http://www.mozilla.com/en-US/firefox/
2)Opera ->
http://www.opera.com/
The instructions in this thread are for the use of oldschoolrock09 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
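As an added example (my own code, not part of this post and not FindAWF itself), the script below works on the same bak-folder layout the "Fix AWF Infection" list is built on: it parses a pasted list of `"...\bak\name.exe"` paths, derives where each live copy belongs, and hashes the parked original against the live file so the entries whose live file no longer matches stand out for triage. The pasted list and the temporary directory tree are constructed samples; `parse_bak_list`, `live_path_for`, `audit_pair` and `demo` are names I chose.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample in the shape of the post's quoted list of parked originals.
BAK_LIST = r'''
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
'''

def parse_bak_list(text):
    """Return the quoted Windows paths from the pasted list, one per line."""
    return [ln.strip().strip('"') for ln in text.splitlines() if ln.strip()]

def live_path_for(bak_path, cls=PureWindowsPath):
    """Map a '...\\bak\\name.exe' entry to where the live copy belongs."""
    p = cls(bak_path)
    if p.parent.name.lower() != "bak":
        raise ValueError(f"not a bak-folder entry: {bak_path}")
    return p.parent.parent / p.name

def audit_pair(bak_file, live_file):
    """Classify one backup/live pair; 'live-differs' marks a swapped-out file."""
    bak_file, live_file = Path(bak_file), Path(live_file)
    if not bak_file.is_file():
        return "no-backup"
    if not live_file.is_file():
        return "live-missing"
    same = (hashlib.sha256(bak_file.read_bytes()).digest()
            == hashlib.sha256(live_file.read_bytes()).digest())
    return "identical" if same else "live-differs"

def demo():
    """Audit a constructed tree in a temp dir; returns {exe name: status}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # ctfmon: the original sits in bak, the live slot holds something else
        (root / "system32" / "bak").mkdir(parents=True)
        (root / "system32" / "bak" / "ctfmon.exe").write_bytes(b"ORIGINAL-CTFMON")
        (root / "system32" / "ctfmon.exe").write_bytes(b"NOT-THE-ORIGINAL")
        # cli: bak copy and live copy already match, i.e. already restored
        (root / "ATI.ACE" / "bak").mkdir(parents=True)
        (root / "ATI.ACE" / "bak" / "cli.exe").write_bytes(b"ORIGINAL-CLI")
        (root / "ATI.ACE" / "cli.exe").write_bytes(b"ORIGINAL-CLI")
        for bak in sorted(root.glob("**/bak/*.exe")):
            results[bak.name] = audit_pair(bak, live_path_for(bak, cls=Path))
    return results
```

On a real machine you would run the same audit over the paths from the pasted list with `cls=Path`, and only the `live-differs` entries need the restore step.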